.:: DESCRIPTION ::.
cPanel is the industry leader for turning standalone servers into a fully automated point-and-click hosting platform. Tedious tasks are replaced by web interfaces and API-based calls. cPanel is designed with multiple levels of administration including admin, reseller, end user, and email-based interfaces. These multiple levels provide security, ease of use, and flexibility for everyone from the server administrator to the email account user.
.:: SUMMARY ::.
Affected Version: 11.24.5-RELEASE
Tested Platform: Linux
A vulnerability has been discovered in cPanel that allows users to traverse directories and view arbitrary files at their discretion, regardless of server security restrictions.
.:: DETAILS ::.
Not available to the public or to users with a basic VIA Agent subscription.
.:: IMPACT ::.
An attacker can leverage this vulnerability to obtain more information about the server and gain further access or escalate privileges. The vulnerability has been confirmed to work and to allow bypass of server security restrictions such as suphp, suhosin, jailshell, et al.
.:: AUTHOR ::.
Phuong Nguyen
Copyright © 2008 E-cqurity.com. All rights reserved.